Network Troubleshooting: TCP SYN Analysis

Analyzing SYN packets can reveal actual response times, as Tony Fortunato demonstrates in this video.

Tony Fortunato

October 25, 2016


I've worked in the networking field since 1989 and am never surprised at how many times basic protocol knowledge and analysis skills come into play. Basic knowledge of protocols is becoming essential regardless of whether you are in the security, server, desktop or networking fields.

My clients tell me there is no shortage of information on protocols, but they find it difficult to get practical guidance. So I thought this would be the perfect opportunity to share some knowledge on some of the TCP analysis options, starting with the SYN (synchronization) protocol. TCP SYN packet analysis can help you with network troubleshooting by providing accurate response times. You can also use the SYN packet for baselining network performance, which can help you when there are performance issues.

In the video below, I use a trace file to demonstrate TCP SYN analysis.

You may recognize TCP SYN as part of the three-way handshake that's used to open or start a TCP connection. The SYN itself is very useful in calculating TCP round-trip time, which is far more accurate than any ping.

Remember that ping uses the Internet Control Message Protocol (ICMP), which is prone to many possible issues. For example, ICMP may be blocked, spoofed, rerouted or treated as a low-priority protocol. Any of these scenarios would result in skewed response times.

Some application performance monitoring (APM) tools measure and track the delta time between the TCP SYN and its corresponding ACK (acknowledged) packet. A common term for this measurement is “TCP connect” time, which is used to create a baseline for performance metrics.

The manual method of performing the same measurement is to use a TCP conversation filter -- same IP addresses and TCP port numbers -- in combination with the TCP SYN flag.

In my next blogs, I will cover other TCP analysis options, including WIN, MSS, SACK_PERM, and WS. In each, I will examine how the option helps with network analysis and troubleshooting.

About the Author(s)

Tony Fortunato

Sr Network Performance Specialist

Tony Fortunato is a network performance expert who has been designing, implementing and troubleshooting networks since 1989. His company, The Technology Firm, provides clients of all sizes with services ranging from project management, network design, consulting, troubleshooting, designing custom-designed training courses, and assisting with equipment installation. Tony's experience in networking started with financial trading floor networks and ISPs, where he learned to integrate and support equipment from various vendors. Tony has taught and presented at numerous colleges and universities, public forums and private classes. He blogs frequently at NetworkDataPedia and has a popular YouTube channel.
